turbot/steampipe-mod-terraform-aws-compliance

Control: SNS topic policies should prohibit public access

Description

Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.sns_topic_policy_restrict_public_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.sns_topic_policy_restrict_public_access --share

SQL

This control uses a named query:

with sns_topic_public_policies as (
  select
    distinct address as name
  from
    terraform_resource,
    -- The cast assumes the policy attribute holds an inline JSON document.
    jsonb_array_elements(
      case when ((attributes_std ->> 'policy') = '')
        then null
        else ((attributes_std ->> 'policy')::jsonb -> 'Statement') end
    ) as s
  where
    type = 'aws_sns_topic_policy'
    and (s ->> 'Effect') = 'Allow'
    -- A wildcard principal in any of its forms; Condition blocks are not inspected.
    and (
      (s ->> 'Principal') = '*'
      or (s -> 'Principal' ->> 'AWS') = '*'
      -- Array form, e.g. "Principal": {"AWS": ["*"]}. The IAM policy key is 'Principal'.
      or (s -> 'Principal' -> 'AWS') @> '["*"]'
      or (s -> 'Principal' -> '*') @> '["*"]'
    )
)
select
  r.address as resource,
  case
    when (r.attributes_std ->> 'policy') = '' then 'ok'
    when p.name is null then 'ok'
    else 'alarm'
  end status,
  split_part(r.address, '.', 2) || case
    when (r.attributes_std ->> 'policy') = '' then ' no policy defined'
    when p.name is null then ' not publicly accessible'
    else ' publicly accessible'
  end || '.' reason,
  r.path || ':' || r.start_line
from
  terraform_resource as r
  left join sns_topic_public_policies as p on p.name = r.address
where
  r.type = 'aws_sns_topic_policy';
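As an added example (not part of the mod), the Python below reproduces the control's predicate over constructed policy documents, so you can see which principal forms produce an alarm before running Powerpipe; the account id, topic ARN and resource names are placeholders.

```python
import json

# Constructed sample policies (not from the mod); account id and topic name are placeholders.
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:alerts"
PUBLIC_STRING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
PUBLIC_ARRAY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "sns:Subscribe",
     "Resource": TOPIC_ARN}]})
RESTRICTED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sns:Publish", "Resource": TOPIC_ARN}]})
DENY_WILDCARD = json.dumps({"Version": "2012-10-17", "Statement":
    {"Effect": "Deny", "Principal": "*", "Action": "sns:Publish", "Resource": TOPIC_ARN}})


def statement_is_public(stmt):
    """Mirror the control's WHERE clause: an Allow statement with a wildcard principal.
    Like the control, Condition blocks are ignored, so a statement narrowed by
    aws:SourceArn is still reported."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":                          # (s ->> 'Principal') = '*'
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":                            # (s -> 'Principal' ->> 'AWS') = '*'
            return True
        if isinstance(aws, list) and "*" in aws:  # (s -> 'Principal' -> 'AWS') @> '["*"]'
            return True
    return False


def evaluate_topic_policy(address, policy_json):
    """Return (status, reason) shaped like the control's outer select."""
    name = address.split(".")[1]                  # split_part(r.address, '.', 2)
    if policy_json == "":
        return "ok", name + " no policy defined."
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):              # bare statement object, not a list;
        statements = [statements]                 # jsonb_array_elements would error here
    if any(statement_is_public(s) for s in statements):
        return "alarm", name + " publicly accessible."
    return "ok", name + " not publicly accessible."


if __name__ == "__main__":
    for label, policy in [("public_string", PUBLIC_STRING), ("public_array", PUBLIC_ARRAY),
                          ("restricted", RESTRICTED), ("deny_wildcard", DENY_WILDCARD), ("empty", "")]:
        print(label, *evaluate_topic_policy("aws_sns_topic_policy." + label, policy))
```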

Tags